Baseline legal protections for privacy have been evolving in the United States over the last 100 years. Yet in Washington, D.C., U.S. state capitols, and internationally, many politicians and bureaucrats are seeking to protect privacy without knowledge of fundamental protections for privacy in the United States: the state privacy torts.

The common law is the legal tradition that the United States inherited from England in colonial times. During the last century, American common law developed a body of privacy-protecting theories that give people whose privacy has been invaded the right to sue and collect damages.

The state privacy torts provide explicit legal protection for privacy in the United States and, at the same time, they allow beneficial uses of information to go forward. This protects people while fostering innovation. Most proposals to protect privacy by administrative regulation would cut off or seriously curtail many beneficial uses of information.

The state privacy torts have many ramifications for current privacy debates. Foremost, legislators and bureaucrats at the state, national, and international levels should be aware that U.S. privacy law is not a vacuum. Numerous laws protect privacy by backing up individuals’ privacy-protecting decisions. Numerous laws prevent harmful uses of information unrelated to privacy. And the state common law torts provide explicit legal protection for privacy.

The relative ignorance of many legislators to our nation’s baseline privacy protections is not their fault alone. Privacy advocates and others have helped to foster the impression that there is no law protecting Americans. This is a violation of the trust that many have placed with them. Substantial criticisms of the privacy torts can be made, but they should be made directly, rather than by telling the press, the public, and public officials that no privacy protecting law exists in the United States.

Litigation using the privacy torts is a superior option to highly regulatory proposals that would attempt to protect privacy by dictating information practices to consumers and businesses. The existence of the privacy torts should also weigh heavily on debates about whether new federal law should preempt existing state privacy law.

Now and forever, empowered and aware consumers are what will deliver privacy on the terms consumers desire. As consumer awareness continues to grow — awareness of the real threats to privacy, the laws that protect against various harms, and now the explicit protections for privacy in state law — they will be able to transact their business with confidence that privacy is available to them on the terms they want it. The state common law privacy torts are a part of delivering privacy to all Americans.

The Common Law of Torts

In American law, a tort is a private or civil wrong or injury. It is the violation of a duty that the law imposes upon all persons in a certain situation or in a certain relationship to other people. A person commits a tort when he or she performs an act that is recognized by the law as wrongful toward others and for which the remedy is a private legal action.

For example, the law imposes a duty on all people not to do violence to others. When a person fails to uphold this duty, by punching someone, for example, this is a tort called “battery” — the second half of “assault and battery.” Battery is defined as an intentional and wrongful physical contact with another person, without his or her consent, that causes injury or offense.

A tort is not necessarily a criminal violation, though some torts are both civil and criminal wrongs. Battery is an example. Someone who has committed a battery may be arrested and charged for the offense by public authorities, or he or she may be sued in a civil court by the victim of the battery. The main thrust of the tort law is not criminal punishment. It is to provide injured parties relief and compensation for the harms they have suffered. Someone who is the victim of a tort has a “cause of action.” This means that he or she may go to court, sue the person who caused the harm, and, if the suit is successful, collect damages.

The general tort law in the United States has been detailed in a document called the Second Restatement of Torts, issued by the prestigious American Law Institute. The ALI was organized in 1923 to address the uncertainty and complexity in American law. Between 1923 and 1944, Restatements of the Law were developed for many areas of law, including torts. Many judges and states recognize the Restatement as an influential guide to the law. In 1952, the organization began a second round of Restatements, and the Second Restatement of Torts remains authoritative today. A third series of Restatements was begun in 1987.

The law of torts is largely a product of the common law, which the United States inherited from England during the colonial period. Common law derives from generation after generation of judicial decisions extending back into pre-history. Judges in common law courts draw on precedent from past cases to determine the just course in present cases. The common law generally reflects the longstanding historical usages and customs that have protected individuals and their property in our society. When it has not been reissued in legislative enactments, common law draws its authority from both its deep roots and its close relationship to western notions of fairness and justice.

Common law is distinct from civil law, which is the dominant legal tradition in continental Europe. Civil law is generally comprised of statutes and codes written (historically) by emperors and kings, and (today) by legislatures. In the past, civil law catalogued the norms of a relatively static society. Modern civil law reflects the best efforts of legislators to articulate the law that will serve all of a society’s diverse interests going forward. Bright minds must try to figure out in relative abstraction what the law should be. It takes extraordinary, perhaps impossible, prescience to write from scratch the law that will serve all the interests of a fluid, dynamic society.

Though it does so slowly, the common law evolves and changes as conditions change or as history reveals past decisions to be unjust. Some lines of cases die out; others join together to form new legal theories. The common law incorporates the wisdom of generations of judges, and the lawyers who have argued before them, working through real controversies between real litigants to balance competing interests and achieve just results in an evolving society.

In his influential book, The Common Law, United States Supreme Court Justice Oliver Wendell Holmes, Jr. said famously of the common law, “The life of the law has not been logic: it has been experience.” This can be read as a comparison of civil law and common law, and a ringing endorsement of the latter.

The Privacy Torts

One relatively recent change in the common law has been the emergence of the American privacy torts. Unlike many other torts, which have ancient roots, the privacy torts have a discrete foundation that is only a little over 100 years old: an article called The Right to Privacy, published in the 1890 Harvard Law Review.

The authors of the article, Samuel D. Warren and Louis D. Brandeis, were concerned with the rise of newspapers, photography, and other technologies that have the potential to expose people’s images and personal information to the public. Warren and Brandeis argued that the next step in evolving legal protections for the individual should be explicit protection of privacy. The two compared the contours of explicit legal privacy protection to the law of defamation, to physical property rights, to intellectual property, and to the law of contracts.

Their key concern was with publicity given to sensitive personal information — undesirable and embarrassing scrutiny of private life by the press and public. (Warren and his family, notable Boston “blue bloods,” had been embarrassed and annoyed by newspaper coverage of their lives. ) Privacy as discussed by Warren and Brandeis did not extend to matters that were of legitimate public or general interest. And publication of facts by the individual concerned, or with that person’s consent, cut off that person’s right to privacy in that information.

In 1960, eminent legal scholar William L. Prosser documented how privacy as a legal concept has come to constitute four distinct torts. That is, a person whose privacy has been invaded in any of four different ways can sue the invader for damages. These torts still exist today, and are roughly contoured as follows:

Intrusion upon seclusion or solitude, or into private affairs;

Public disclosure of embarrassing private facts;

Publicity which places a person in a false light in the public eye; and

Appropriation of one’s name or likeness.

A partial list of key state cases, statutes, and other sources having to do with the privacy torts can be found in the Appendix to this paper.

Prosser was not totally enamored with the privacy torts. The link among them — the idea that people have a right “to be let alone” — is slightly tenuous for legal theory. Prosser warned that the different ways each branch of the tort might apply could easily lead to confusion.

Intrusion

The tort of intrusion had its foundation in wrongful entry upon places were private life was being conducted. An early precursor, for example, was a case involving a man’s entry into a room where a woman was giving birth. The principle has been carried beyond places and belongings and an intrusion tort may occur when someone eavesdrops using microphones or wiretaps, and when someone peeps through the windows of a home.

An intrusion probably has not occurred when someone makes excessive noise or exhibits bad manners and obscene gestures. The intrusion tort is not implicated when the matters observed can not be accurately called “private,” as when someone is observed or photographed on a public street.

Public Disclosure of Private Facts

The public disclosure of private facts cause of action is probably most like what Warren and Brandeis worried about in their Harvard Law Review article, and it is important today because large amounts of personal information can be collected and disseminated using digital technologies. It allows a person to sue if highly sensitive information about him or her is publicly disclosed. Early cases involved revelation of a woman’s past life of prostitution in a movie that identified her by name, publicity given to debts, and publicity given to medical pictures of a person’s anatomy.

There are some key limitations on the disclosure tort. First, the disclosure of private facts must be a public disclosure, not a private one. In other words, communicating information to small groups or legitimately interested parties is unlikely to be actionable. Second, the facts disclosed must be private facts. Publicity given to information that is open to the public eye will not give the subject of the publicity a cause of action. Third, making the information public must be an act that would offend a reasonable person of ordinary sensibilities. A person with peculiar sensitivity to exposure will not be able to successfully sue someone who publicizes unremarkable or clearly favorable personal information.

False Light

The false light privacy tort protects people against being cast in a false light in the public eye. It has often been used when people’s photographs have been exhibited in ways that create negative inferences about them. People have successfully sued when they have wrongly been associated with cheating taxi drivers, “profane” love, juvenile delinquents, or drug dealing. Like the disclosure tort, a false light complaint must be about publicity given to negative implications that would be objectionable to the reasonable person. The subjective feelings of the highly sensitive are not protected. The tort is similar to defamation, but it goes more to the peace of mind of the individual than to his or her standing in the community.

Appropriation

Finally, the appropriation tort prevents exploitation of attributes of a person’s identity for commercial gain. It arose in an unusual way, when the legislature in New York sought to overturn a decision by that state’s highest court. In a 1902 case, the New York Court of Appeals refused to recognize the privacy torts urged by Warren and Brandeis. The defendant had used an attractive woman’s picture, without her consent, to advertise flour. The decision denying her recourse brought a storm of disapproval, and the legislature passed a statute making it both a misdemeanor and a tort to use any person’s name, portrait, or picture in advertising or trade. Many other states passed similar such laws, and in other states courts adopted the tort as a part of the common law.

A successful suit under the appropriation theory must be based on use of the plaintiff’s identity, not just coincidental use of the same name. Something must tie the communication to a particular person. In statutory cases, the appropriation must be for pecuniary advantage, but the common law cases may not be so restrictive.

As Prosser emphasized, the four branches of the privacy torts are very different from one another, and they apply differently in different situations. But they are explicit privacy-protecting law that exists in most of the United States. They are important to consider and study, particularly given the focus on privacy as an important part of the distinct field of information policy.

The Privacy Torts as Information Policy

Though they have developed over 100 years, the privacy torts entered American legal culture very rapidly in historical terms, and they should continue to develop and evolve as common law doctrines do. Even more rapidly, American society has entered a new era: the Information Age. In this age, “information policy” has quickly become an important field of study and advocacy.

Despite their pre-industrial and Industrial Age origins, privacy and the privacy torts are clearly information policy. We can understand them better by considering them as such. Indeed, “privacy” itself needs to be recognized as a particular state of affairs having to do with information, rather than a confused jumble of different problems.

For too long, privacy has been a catchword for any number of concerns that face us as we enter the digital age. People commonly use the words “privacy” and “security” interchangeably, despite important differences. They refer to the serious crime problem of identity fraud as a “privacy” problem. And they object to spam — millions of e-mails sent in the absence of knowledge about the recipient — as an invasion of “privacy.” These significant information policy problems each relate to privacy in different ways, but they are not at the heart of privacy itself. In the absence of a useful definition, the term “privacy” has done more to frustrate than to help the people who want to solve these important policy problems.

Privacilla.org has proposed a definition of privacy that is intended to assist people working seriously to solve privacy-related public policy problems: Privacy is a subjective condition that exists when two factors are in place. First, one must have legal power to control information about one’s self. Second, one must have exercised that power consistent with his or her interests and values.

Importantly, privacy is a subjective condition. This means that individuals determine its contours for themselves based on their own highly personal wants and needs. Through experience, upbringing, and culture, each person develops a sense of privacy that is his or her own. One person can not tell another what his or her sense of privacy should be. Nor can legislators or regulators determine for an entire society what information practices deliver privacy to the people in it.

The first factor — the legal power to control the release of information — goes to the existence of choice, not how pleasant the choices are. In the private sector, people almost always have the ability to control information about themselves. By declining to deal with others or engage in commercial transactions that have unsatisfactory consequences for information, they can decide absolutely who receives information about them. A variety of laws like contract, trespass, burglary, and battery enforce people’s decisions to limit the access others have to information about them. Though it is not always easy to use, the existence of legal power to control information satisfies the first factor.

When dealing with governments, people rarely have legal power to control information. The data necessary to collect taxes, deliver benefits, and police citizens is collected by force of law. Data collected and held by governments — even if confidential “by law” — may be deemed categorically unprivate because governments have the power to change the terms under which information is held and used. This is why government can fairly be called the greatest threat to privacy. No slight is intended to the good motives of public servants when the observation is made that loss of privacy is a cost of government.

Exercising control of information — the second factor that delivers privacy — relies on an educated and aware population pursuing their own interests in the marketplace. We cannot presuppose what consumers want in terms of privacy and publicity. Many consumers are unaware of how the Information Economy works, and the fact that they are a part of it. Other consumers have made rational decisions to share information in exchange for lower prices, convenience, customer service, customization, and other benefits. Only educated, empowered, and responsible consumers can maintain privacy at the level and on the terms they want it. They do this by going where they want, speaking to whom they want, and transacting with whom they want on the terms they want.

Having captured “privacy” as an information policy, it is possible to consider the privacy torts in clearer relation to privacy itself. Each branch of the privacy torts protects interests with a different relation to privacy, and some blend into other legal doctrines.

Intrusion

The intrusion tort gives a cause of action to someone who has taken ordinary steps to control information about him or herself, but finds it defeated by the unusual or outrageous behavior of others. The woman intruded upon while giving birth, for example, had reasonably protected information about her appearance and condition by retreating to a closed room for the purpose of childbirth. By strong custom and by implicit promise, she was joined there only by people with a role in her aid and an obligation to remain silent or discreet about the things they observed. The man entering the room without permission, and not subject to these conditions wrongly defeated her exercise of control over sensitive personal information, and invaded her privacy.

When matters of less intimacy are revealed, behavior that may give rise to an intrusion cause of action may more closely resemble other torts and crimes. For example, someone who enters or peeps into an empty house, seeing nothing particularly provocative, may be more plausibly committing trespass or burglary than invading privacy. (The law of trespass is one of dozens of laws that protect privacy without direct reference to the concept. It gives legal force to people’s privacy-protecting choices to retreat into their homes and close their doors and curtains, preventing strangers from observing them.)

On its outskirts, the intrusion tort more closely resembles harassment or stalking. Repeatedly phoning a person or trailing a person in public have less to do with divesting them of control over information as divesting them of peace of mind. These behaviors do not fit too comfortably in the intrusion branch of the privacy torts.

Public Disclosure of Private Facts

The disclosure cause of action is probably most central to the proper conception of privacy. The existence of this tort means that people holding sensitive information about others have a legally enforceable obligation not to give that information needless publicity.

Our society has certain expectations about what can be done with such information, and anyone who does not publicize sensitive information about themselves may expect that others will treat such information with tact. The disclosure tort protects Americans’ privacy in hundreds of ways, even if they do not take special steps to protect themselves. The disclosure branch of the privacy torts provides a fundamental level of privacy protection: ordinary Americans living ordinary lives will not have sensitive personal information about them bandied about by anyone other than themselves.

False Light

The tort known as false light has little direct connection to the heart of privacy, clearly conceived. A publication that characterizes a person incorrectly, or that insinuates false negative information, has not defeated a person’s exercise of control over personal information. It has concocted incorrect information about the person. The law of defamation is designed to protect against harmful falsehoods, and the tort of false light privacy could be folded into defamation law.

Appropriation

The appropriation tort also appears to have little to do with the heart of the privacy concept. It requires no wrongful defeat of someone’s efforts to control information about him or herself. It only requires that the use of that appearance or identity be commercial in nature and that the use be without permission. It is closely related to a doctrine called the “right of publicity,” which protects a property right that notable figures have created in their names and identities. The appropriation tort could probably be folded into that body of law.

Each of the privacy torts are an important information policy. Examining the law — and the concept of privacy itself — as information policy may help us better understand and analyze them. Particularly the torts known as “intrusion” and “public disclosure of private facts” protect Americans’ privacy from interference by others.

Beyond understanding the contours of this privacy-protecting body of law, it is equally important to consider the implications of the state privacy torts for current policy debates.

Implications of the Privacy Torts

The privacy torts have significance to many elements of the public debate on privacy today. Policymakers at all levels of government, and in governments throughout the world, should be better aware of this privacy protection in the United States, and they should consider it carefully.

Comprehensive Baseline Protections that Allow Innovation

The privacy torts provide baseline privacy protections, below which no company or individual may go. They are not limited to any type of information or medium. They cover all information, including medical and financial information, and they apply equally to communications on or off the Internet.

The privacy torts give a cause of action only to individuals who have suffered harm. This means that they pick out only bad actors for punishment while allowing beneficial uses of information to go forward. The privacy torts do nothing to thwart innovative uses of information except require people to use reasonable caution about the effects on privacy of what they do.

This is the precise mix of characteristics that many politicians and bureaucrats claim to be pursuing in highly regulatory and inelegant, top-down information policy mandates. Under widely touted regulatory proposals at both the state and federal levels, entire uses of information — beneficial or not — would be cut off or curtailed to try to get at privacy protection.

The practical effect of existing U.S. law bears repeating: The privacy torts provide baseline privacy protections in all media and pertaining to all subjects. They pick out bad actors for punishment, while allowing beneficial uses of information to go forward.

Unfortunately, many people who should be aware of this law and its implications have not been. The quality of the privacy debate has suffered as a result.

Attention Public Officials: Privacy Protection Already Exists

Domestic U.S. officials who are proposing new privacy legislation and regulation should be aware that they are not operating in a vacuum. The baseline protections of the privacy torts combine with corporate peer-pressure and increasing consumer awareness to make the United States a worldwide leader in private-sector privacy protection. As the U.S. Department of Commerce said in a July, 2000 memorandum to the European Commission, “The right to recover damages for invasion of personal privacy is well established under U.S. common law.”

Officials in foreign governments and international bureaucracies must also be made aware that their highly regulatory, highly prescriptive, and largely unenforceable proposals are a weak alternative to the privacy protections available to consumers in the United States. Their efforts to capture a complex social phenomenon like privacy in law and regulation have been an uninspiring failure.

The Role of Privacy Advocates in Perpetuating Ignorance

The relative ignorance of many officials and policymakers to existing U.S. privacy law cannot be blamed on them alone. They appropriately rely on many sources for information, among them privacy advocates. Many pro-regulation privacy activists and so-called consumer advocates have disinformed Congress and the public about the existence of privacy protections for consumers. They have fostered a degree of hysteria by encouraging the impression that consumers are completely unprotected by existing law.

For example, the Electronic Privacy Information Center’s 2000 Privacy and Human Rights book states flatly “The U.S. has no comprehensive privacy protection law for the private sector.” (At the end of the same paragraph, a brief sentence acknowledges the privacy torts’ existence.) Knowing of the baseline protections created by the privacy torts, EPIC officials have testified to Congress that “virtually no meaningful [online privacy] protections are in place.”

Other privacy advocates have abetted regulators in acting with intentional ignorance of the privacy torts. In December 1999, when it promulgated its sweeping regulation of health care information practices under the Health Insurance Portability and Accountability Act, the Department of Health and Human Services mentioned the existence of the privacy torts twice, even noting that state tort law allows patients to hold health care providers accountable for some unauthorized disclosures of health information. But it relied on and quoted a study by the Institute for Health Care Research and Policy at Georgetown University to find that “‘state laws, with a few notable exceptions, do not extend comprehensive protections to people's medical records.’” The study came to this conclusion by specifically excluding state common law.

There are baseline privacy protections in state common law. The suitability of the privacy torts are a matter of opinion, though, that should be openly debated and discussed. If the tort law is inadequate, this does not mean that it does not exist. Advocates who have allowed lawmakers and regulators to move forward without fully considering the privacy torts have been less than candid with these public officials and breached the trust invested in them. Congress, state legislatures, and international bodies should be more skeptical of what they hear from advocates in privacy debates.

Important Criticisms Exist

The privacy torts are discussed far too rarely, and dismissed too easily by policymakers. But there are important criticisms of the privacy torts that should be considered.

One is that the privacy torts are too weak — that they do not protect consumers from enough of what happens with information today. Unfortunately, this point is rarely made directly. As discussed above, advocates have preferred to act as though the privacy torts do not exist so they can push lawmakers to enact a whole range of information policies cut from whole cloth, only some of which have to do with privacy.

Those who advocate such views have failed to articulate a new theory of privacy that would benefit American consumers more than existing law. They should say how the privacy torts are deficient — how consumers are being harmed legally today. Advocates of heavy regulation have yet to come forward with any new theory of privacy that is even close to coherent.

A related criticism is that there are few successful lawsuits under the privacy torts. This suggests that the amount of successful litigation is a proxy for privacy protection. Others suggest that the privacy torts are dying out.

It is true that there are few lawsuits, and even fewer successful ones, under the privacy torts. But this may be precisely because the privacy torts are good law. An ingrained part of our social and business culture is that we do not reveal personal information about others so as to expose them to public humiliation or ridicule. The outrage that companies spawn when they do so, or even threaten to do so, is evidence of this strong cultural norm. The baseline protections for privacy in the tort law reflect this culture. Both the cultural rule and the law are widely obeyed.

It is wrong to count lawsuits or enforcement actions as a measure of the quality of law. Consider what would happen if local politicians rated traffic laws a success because police were issuing a large number of tickets. An enraged electorate would rightly bounce them out of office. Extensive litigation is just as much an indicator that something is wrong with the law than that something is right. Laws like the privacy torts must be judged on qualitative factors like whether consumers are being harmed by lawful information practices.

The relatively low level of successful litigation under the privacy torts should give comfort to businesspeople that are especially sensitive to the threat of legal liability. Those criticizing the privacy torts because they do not spawn enough litigation probably object to the substantive protections of this law. If they believe the baseline protections should be raised, they ought to say so directly and articulate what is inadequate about existing protections.

Another argument is that the privacy torts have been weakened by Supreme Court cases under the First Amendment. It is true that the privacy torts give way when freedom of speech is implicated. Our Constitution gives a higher priority to speech about matters of public concern than to the power of individuals to maintain privacy. But all other methods of protecting privacy share the same flaw. Indeed, highly regulatory attempts to protect privacy by banning information-sharing interfere with speech even more than the privacy torts. The quantity of speech they would ban is much larger, and it is not limited to speech that causes harm. Arguments against the privacy torts based on the First Amendment are really arguments for placing privacy ahead of the First Amendment and freedom of speech.

The Superiority of Litigation to Administrative Regulation

The privacy torts help demonstrate that using litigation to protect privacy is dramatically superior to using regulation aimed at the same ends. Prescriptive regulation is an appropriate model for protecting the public in only a limited number of circumstances, such as when there is a high risk of danger to human life and health, when preventing risk requires a high degree of technical expertise, or when creators of risk can not be identified and required to reduce this externality (i.e. air pollution and some water pollution). Privacy does not fit these categories.

Prescriptive regulation may be called for where there is significant risk to human life or health because the injuries people may suffer are irreversible or deadly. This makes compensation after the fact impossible or insufficient. Though suffering a privacy violation can be devastating, information policy can not be fairly characterized as an area of significant danger to human life or health. In medical devices, for example, prescriptive regulation can cut down on risk by requiring new innovations to be reviewed and approved before use. Society bears a significant cost for this type of regulation; it can easily thwart innovation that itself would improve and extend life. Many regulatory proposals aimed at privacy follow this same model — essentially preventing “unapproved” uses of information to prevent unidentified potential harms.

Though privacy is important, this approach would be overkill, and it probably runs contrary to increasing overall social welfare. Information practices are evolving rapidly in light of the growth of the Internet and digital technologies. They should not be cabined at this early point, before we learn all the good things that can be done with information. Administrative regulation aimed at privacy would tend to lock in information practices that exist today, and deprive consumers of the benefits that future innovations would inevitably bring.

Privacy is also emphatically not an area where preventing risk requires a high degree of technical expertise. Privacy is a social construct, not a technical matter. People’s definitions of privacy are subjective; in each individual, privacy competes with other interests. Privacy is also constantly changing for individuals and for society as a whole. Attempts to treat privacy as a technical matter are foolishness.

Experience under the federal Gramm-Leach-Bliley Act has shown this to be the case. Under that law, financial services companies are required to provide customers with a notice and opt-out that, in the end, allows them to decline advertising tailored to their particular circumstances. The attempt to capture privacy in a “notice-and-choice” regime has done almost nothing to deliver real privacy to real people, though it may have briefly excited the rigidly anti-commercial privacy activists.

Attempting to refine “notice and choice” is a technocratic approach that can not succeed. Responding to the privacy interests of individuals, or society as a whole, is a matter of social skill and perhaps artistry — not technical capability. Companies that explain the value of information sharing to consumers, while assuring their comfort and safety, will deliver privacy on the terms that consumers desire. They should be free to try any way they want without being straight-jacketed by “notice and choice.”

Experiments with statutory privacy regulation at the federal level have been particularly disastrous because of the privacy-eroding provisions privacy legislation has contained. The Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act were both passed under claims that Americans’ were getting greater privacy protection. But both of these laws preserved and reinforced the power of governments to delve into citizens’ personal and private medical and financial information.

At least privacy protection through litigation does not make disingenuous claims to be protecting privacy while guaranteeing the power of governments to collect and use Americans’ personal and private information. Pro-regulation privacy activists, burned several times in the legislative and regulatory processes, have not yet learned to stay away.

Protecting privacy through litigation appears to be a vastly superior approach to prescriptive legislation and regulation. Advocates of regulation need to use a great deal more caution. Businesses interests that seek to make productive use of personal information should also use caution around legislative proposals.

Be Cautious With Preemption

The protections provided by the privacy torts have a dual effect on current debate about whether there should be federal preemption of state privacy law in the U.S. Federal lawmakers are considering whether a welter of state privacy laws would hamper commerce. This would justify sweeping aside such laws under the authority given by the U.S. Constitution’s Commerce Clause. The business community is weighing whether they would be better off with a single federal privacy standard, accompanied by preemption of state law.

First, federal preemption of the state privacy torts would be a significant and objectionable retreat for privacy protection in the United States. Any preemption should be limited to regulatory statutes — not the baseline privacy protections provided by the state privacy torts. Because some states adopted the privacy torts by statute, preempting state privacy statutes would not be appropriate. Rather, any preemption should go to state regulation that attempts to prevent harm indirectly by dictating information practices. The privacy torts address harms directly by giving consumers a cause of action when they are injured.

Second, greater knowledge of the existence and force of the privacy torts should reduce the pressure on state legislators to pass unwise regulatory privacy legislation. This, in turn, should reduce the need for preemption. In other words, there should not need to be preemption because states should not perform experimental surgery on their economies in the name of privacy.

Additionally, because most state privacy proposals would have significant extra-territorial effects and operate as regulation of national markets, they are likely ultimately to be stricken under the Supreme Court’s “Dormant Commerce Clause” jurisprudence. The Court has found that state legislation having the effect of regulating national markets is unconstitutional. Congress should affirm this doctrine and make it an explicit enactment under the Commerce Clause not limited to privacy.

Preemption of most state privacy legislation following the prescriptive regulatory model would be a matter of indifference to clear-thinking privacy advocates because none of this type of legislation particularly helps real people achieve greater actual privacy.

Consumer Awareness is Still the Only Solution

The only thing that can deliver privacy on the terms consumers want it is action by consumers themselves. Consumers should be more aware of the true threats to their privacy, the laws that protect their privacy, and the laws that protect them from other harmful uses of information. Too much hype has been given to privacy threats that exist online and in the market for consumer information. Happily, consumers have seen through it and continue to go online, while businesses have learned what information practices consumers will and will not tolerate.

Putting aside that government — not business — is the most important threat to their privacy, consumers need to continue learning the information that allows them to make intelligent, privacy-protecting decisions in the marketplace. There is no alternative to active, intelligent consumers for delivering privacy on the terms consumers want. They also need to be aware that existing law protects their privacy in important respects. What they do with that information is up to them. Anyone who presumes to know what consumers wants demonstrates their own foolishness and contempt for consumers by doing so.

Conclusion

Privacy is an exceedingly complex topic. The term itself has never been satisfactorily defined, and it has not found its proper place in rational discussion of various contemporary information policies. The term “privacy” is brandished in debates about a variety of different concerns people have as we enter the Information Age.

The state privacy torts provide explicit baseline protections for privacy at the same time as they allow innovative new uses of information to occur. For the most part, they have been unsung as privacy protecting law in the United States.

The ignorance of many key players in privacy policy has been abetted by privacy activists and self-styled consumer advocates. They have contributed to widespread ignorance of existing privacy law and fostered a level of hype about privacy threats in order to advance a suite of information policies that range widely across the landscape.

Legislators, bureaucrats, the press, and the public should be better aware of the explicit privacy protection available in the United States through the privacy torts. This knowledge will help consumers know better when their privacy is threatened and when it is safe. And it will help dissuade legislators from experimental legislation clumsily aimed at delivering privacy by dictating information policy.

The existence and meaning of the state privacy torts is one of many factors that remain to be considered in our collective effort to respond to the privacy challenges we face in the Information Age. Our future holds great promise, and more of the benefits of the information economy will be available to more people if we face these challenges intelligently and with better awareness of the law that already protects us.

The following list of key cases, statutes, and other sources should serve as a starting point for determining the status of the privacy torts in each state’s law. Most states have adopted the privacy torts by common law or statute. In some, the privacy torts are established through interpretation of the state’s constitution. A few states have adopted some branches of the privacy torts but not others. Still other states have declined to adopt these privacy protections at all.

New YorkRoberson v. Rochester Folding Box, 171 N.Y. 538, 64 N.E. 442 (1902)
N.Y. CIV. RIGHTS LAW §§ 50, 51 (interpreted to limit recovery for violation of privacy only to those acts making commercial use of one’s name or likeness)